Closed lread closed 1 month ago
lread
commented
1 month ago Oh yeah, it is just simple logging from dependency-check.
There are other interesting/important things dependency-check logs, so turning on info-level logging would make sense, at least for certain packages. (Clj-watson currently disables all dependency-check logging via org.slf4j/slf4j-nop
seancorfield
commented
1 month ago Sounds like a reasonable approach to enable logging (although it's going to make it real chatty!).
Do you think a way to set the logging level should be provided, so folks can reduce the chattiness if they don't care?
lread
commented
1 month ago Thanks Sean,
Do you think a way to set the logging level should be provided, so folks can reduce the chattiness if they don't care?
Yeah, we should probably think about this and allow for this while adding in our logging configuration defaults. But we probably don't need to document how to change logging config until folks ask for it?
A bit annoying that the chatty bit (Completed processing batch 1/130 (1%) in 3,202ms) is in the same namespace and also at info log level. But personally, I'd rather this kind of noise than nothing here.
lread
commented
1 month ago If we were super interested in entirely controlling logging to our logging whims during this phase, we could re-implement dependency-check's processApi in clj-watson. It doesn't look like rocket science. But also, another thing to maintain and compare against changes in dependency-check, which is not attractive.
lread
commented
1 month ago And to be clear, my examples above were for a complete db download. Here's a complete example of an update:
[2024-08-01 00:30:30.040] INFO Engine - Checking for updates
[2024-08-01 00:30:33.018] INFO NvdApiDataSource - NVD API has 201 records in this update
[2024-08-01 00:30:33.183] INFO NvdApiDataSource - Downloaded 201/201 (100%)
[2024-08-01 00:30:33.496] INFO NvdApiDataSource - Completed processing batch 1/1 (100%) in 365ms
[2024-08-01 00:30:33.616] INFO KnownExploitedDataSource - Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
[2024-08-01 00:30:34.132] INFO CveDB - Begin database defrag
[2024-08-01 00:30:37.923] INFO CveDB - End database defrag (3794 ms)
[2024-08-01 00:30:37.925] INFO Engine - Check for updates complete (7884 ms)Which I personally do not find overly noisy.
seancorfield
commented
1 month ago Is this closed by #73 as well, or is there more to do? The level of logging shown above in your recent comment looks good to me.
lread
commented
1 month ago I think we can close, @seancorfield. We'll likely come back to logging for other reasons, but this issue is, in my opinion, addressed.
seancorfield
commented
1 month ago Thanks.
Currently
There is no feedback during the download of the nvd database.
Example output:
But..
Downloads can take a few to several minutes; and recently much longer due to some issues. So it would be nice to get some idea that work is being done and how far along that work is.
Inspiration
For inspiration, nvd-clojure emits feedback like so while downloading:
And more feedback while applying the updates:
And closes with:
I haven't verified yet, but it seems like nvd-clojure is just using existing logging from depedency-check.
Proposal
Let's look at our options for providing more feedback here and do something about it. Perhaps using dependency-check logging is the best way, but it's probably worth a quick glance to see if there are other ways.
For example, the status of applying the updates is on the noisy side for something that happens so quickly.
Next steps
I am happy to discuss further, and if/when we agree, I can create a PR.